[apparmor] [Bug 770671] Re: Some way control logging per application
John Johansen
john.johansen at canonical.com
Tue Apr 26 09:34:54 UTC 2011
AppArmor could indeed use better auditing controls, and several
improvements are on the road map. There is however a feature that you
can use today that might help.
AppArmor allows for deny rules, which record in a profile that a specific
access is expected and should be denied. This gives the tools a way to
remember what accesses have been explicitly denied in the past. It also
quiets the logging of any access that matches the deny rule.
E.g.
deny /etc/password w,
would quiet logging of write accesses to /etc/password but not read
accesses.
If you need or want the denied rule to be logged, it can have the audit keyword prepended.
audit deny /etc/password w,
In this case the deny rule only serves as a hint to the profile learning
tools that this access has been logged before and explicitly denied, so
that the tools do not ask about log entries that match.
Deny rules have one more property that you must be aware of: they subtract permissions from the allow set.
deny /etc/password w,
/etc/** rw,
would allow read and write access to all files in /etc/ except /etc/password,
which will only have read access because write access has been denied.
You can think of this as all the permissions for allow rules are
accumulated in one set and all the permissions associated with deny
rules are accumulated in a second set, and then the deny set is
subtracted from the allow set.
Deny rules work with globbing
deny /etc/** w,
and also with network and capability rules.
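The rules above, put together into one complete profile. This is an added
example and not part of the post: the confined program /usr/bin/example and
the file names it touches are assumptions chosen for illustration, not
anything from the bug report.

```apparmor
# Added example profile (not from the post). Assumes a hypothetical
# /usr/bin/example that needs to read /etc but keeps probing files it
# must not write, which is exactly the log noise the bug report describes.
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>

  # Allow set: read and write everything under /etc.
  /etc/** rw,

  # Deny set: subtracted from the allow set, so /etc/** stays rw except
  # /etc/passwd, which ends up read-only. Matching write attempts are
  # refused silently, so they no longer fill the log.
  deny /etc/passwd w,

  # Same subtraction, but attempts are still logged. Here the rule only
  # tells the profile learning tools that this denial is already known,
  # so they will not ask about the matching log entries.
  audit deny /etc/shadow r,

  # Globbing works in deny rules too: quiet every write under /etc/ssl.
  deny /etc/ssl/** w,

  # Deny rules also apply to network and capability rules.
  deny network inet stream,
  deny capability net_raw,
}
```

Load it with `apparmor_parser -r` on the profile file, then have the
program run through its usual attempts: the plain `deny` rules refuse the
writes without a kernel log entry, while only the `audit deny` line still
produces an AppArmor DENIED message for the read of /etc/shadow. Because
of the subtraction, dropping the `deny /etc/passwd w,` line would silently
re-enable that write via `/etc/** rw,`, so review the deny set whenever the
allow set is widened.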
** Changed in: apparmor
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/770671
Title:
Some way control logging per application
Status in AppArmor Linux application security framework:
New
Bug description:
I couldn't find a place to report feature requests so I'm adding this
here.
AppArmor really needs a way to control logging of denials/violations
on a per profile basis. Right now I have a program that I have
restricted beyond what it wants in order to keep it safe (for me). The
program still works fine but does not have access to some resources.
Nonetheless it still tries regularly (every few seconds) to access
these resources. Right now I have no way to prevent my logs from
filling with garbage messages from these attempts and this makes it
hard to see anything legitimate in the logs.
For now I have added an rsyslog rule to filter the apparmor logs into an
independent file but it would be much better if there were an apparmor
profile option to disable or redirect logging just for that profile.
More information about the AppArmor
mailing list